Risk and Strategy: What you need to know from Cisco’s Midyear Cybersecurity Report

For anybody who already considers me to be a “massive nerd”, you may not be too surprised to learn that I quite like my board games.

From strategic spy games to ‘Uno’ – and indeed everything in between – for me there is no better way to spend a Saturday night than gathered in the company of friends and family, creating argumentative stalemates with a Monopoly board.

During one recent games night, my friends and I decided to play the one game that can often take longer than the gap between UK General Elections – Risk.

For anyone who may not be aware of the game or its objectives, Risk is set in an age of political turmoil, before the invention of modern transportation.

You have a global map which is divided into 42 territories (6 continents), and the aim is to increase your army to the point where you control all the territories. You do this by challenging neighbouring territories owned by your fellow players, and whoever wins each battle is decided by the roll of the dice.

I last played Risk about 20 years ago, so any of my learned tactics had long leaked out of my brain. So, I had no strategy whatsoever.

I was lucky enough to ‘own’ all of Australia, and a significant amount of Europe, from the beginning. This seemingly gave me a false level of confidence.

Using my stronghold in the South Pacific, I greedily decided to take on both China and Europe at the same time.

You can guess what happened. My armies became split, and I became unable to fight a war on multiple fronts. I was booted out of every region, and lost Australia almost as quickly as I found it.

My alliances could see I was a sinking ship, and ultimately betrayed me for their own net gain (there was even an utterance of the famous Game of Thrones line, “The Lannisters send their regards…”, as Europe was brutally taken from my grasp).

Cisco has been publishing annual and midyear cybersecurity reports for nearly a decade now. The primary reason why we do this is to keep security teams, and the businesses they support, informed of known and emerging security threats and vulnerabilities.

We also try to help them think about the steps they can take to make their organisations more secure.

Our brand new report contains tantalising information about the rapid evolution of threats, and the magnitude of attacks that organisations are now facing. Compared to our Annual Cybersecurity Report, released in January, things have moved on at a dazzling pace in the last six months alone.

Whilst I was reading the report, it occurred to me that up until fairly recently, cyber criminals have been taking a very similar approach to how I played Risk that fateful Saturday night.

Little strategy was involved. Despite the odd targeted attack, the majority of cyber campaigns took on more of a ‘spray and pray’ approach.

There was collateral damage, definitely, but it was recoverable from.

Things have now changed, according to our report. Though they are still primarily motivated by financial gain, the aim of some cyber criminals now is to step things up a gear, and not just to attack, but to destroy in a way that prevents organisations from restoring their systems and data (i.e. taking out their backups).

Here’s a key line from the report:

“The rapid evolution of threats and the magnitude of attacks that Cisco’s threat researchers and technology partners have been observing of late is troubling. There is a sense throughout the security community that actors in the shadow economy may be carefully laying the groundwork for campaigns that not only will have far-reaching impact, but also will be extremely difficult to recover from. They seek to eliminate the “safety net” that organisations rely on to restore their systems and data following a DDoS attack, a ransomware campaign, or any other cyber incident that severely disrupts their operations.”

Our researchers see the extent of this new era of ‘destructive’ attacks as very sinister activity, and as a precursor to a new and devastating type of attack that is likely to emerge in the near future: Destruction of service (DeOS).

This is the game of Risk played at its highest, most strategic level.

The good news is that much of our research also shows that, as a whole, organisations are developing a much better understanding of how and where cyber criminals operate.

However, one of the main threats to this positive trend is the growth of the IoT.

Or, to put that more accurately, cyber criminals have seen the huge opportunity in being able to hack into IoT devices (those which haven’t necessarily been built with security in mind), and create large scale attacks using IoT botnets.

The report goes on to explain that we’ve seen evidence that most organisations aren’t fully aware of what IoT devices may be connecting to their network – such as smart meters, cameras, or thermostats. Many of these devices lag well behind desktop security capabilities, are rarely patched, and typically run outdated applications.

In addition, it’s not always clear who inside the organisation is responsible for addressing IoT compromises. Typically, once an IoT project is completed, that team moves onto the next one.

This is why it has never been more important for organisations to make cybersecurity a top priority.

Visibility is the key here – it’s about learning to see what you currently can’t see, and that means devoting the time and resources to ensuring you always know exactly what is in your IT environment, and that everything within it is deployed correctly and securely, and kept up to date.
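To make the visibility point concrete, here is an added example written for this post (it is not Cisco tooling and does not come from the report). It reconciles what is actually on the network, taken from a constructed dnsmasq-style DHCP lease file, against a hand-built asset inventory, and reports exactly the three gaps the report describes: devices nobody knew about, devices with no team accountable for them, and devices that have not been patched within a chosen window. The inventory layout, lease format, MAC addresses and dates are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed inventory: what the organisation *believes* is on its network.
# Keyed by MAC address; "owner" is the team accountable for patching the device.
INVENTORY = {
    "00:11:22:33:44:01": {"type": "thermostat", "owner": "facilities", "last_patched": date(2017, 1, 15)},
    "00:11:22:33:44:02": {"type": "camera",     "owner": None,         "last_patched": date(2015, 6, 1)},
    "00:11:22:33:44:03": {"type": "laptop",     "owner": "it-ops",     "last_patched": date(2017, 6, 20)},
}

# Constructed DHCP lease lines in dnsmasq's format:
# <expiry epoch> <mac> <ip> <hostname> <client-id>
DHCP_LEASES = """\
1500000000 00:11:22:33:44:01 10.0.5.10 thermostat-lobby *
1500000000 00:11:22:33:44:03 10.0.5.22 laptop-jsmith 01:00:11:22:33:44:03
1500000000 00:11:22:33:44:09 10.0.5.40 smart-meter-b2 *
1500000000 00:11:22:33:44:02 10.0.5.11 cam-carpark *
"""

# Date the report is run for (fixed so the example is reproducible).
REPORT_DATE = date(2017, 7, 20)


@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    issue: str


def parse_leases(text):
    """Return (mac, ip, hostname) tuples from dnsmasq-style lease lines."""
    seen = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line: ignore rather than crash
        seen.append((parts[1].lower(), parts[2], parts[3]))
    return seen


def reconcile(leases, inventory, today, max_patch_age_days=90):
    """Compare observed devices with the inventory and return a list of gaps.

    Issues raised:
      unknown-device   - on the network but absent from the inventory
      no-owner         - inventoried but no team is accountable for it
      stale-patch:Nd   - last patched more than max_patch_age_days ago
    """
    findings = []
    for mac, ip, hostname in leases:
        record = inventory.get(mac)
        if record is None:
            findings.append(Finding(mac, ip, hostname, "unknown-device"))
            continue
        if record["owner"] is None:
            findings.append(Finding(mac, ip, hostname, "no-owner"))
        age = (today - record["last_patched"]).days
        if age > max_patch_age_days:
            findings.append(Finding(mac, ip, hostname, f"stale-patch:{age}d"))
    return findings


def visibility_report(today=REPORT_DATE):
    """Convenience wrapper: run the reconciliation on the constructed data."""
    return reconcile(parse_leases(DHCP_LEASES), INVENTORY, today)


if __name__ == "__main__":
    for f in visibility_report():
        print(f"{f.issue:<18} {f.mac}  {f.ip:<12} {f.hostname}")
```

Running it against the constructed data flags the smart meter as an unknown device, the car-park camera as both ownerless and badly out of date, and the lobby thermostat as overdue for patching; the laptop, patched a month ago and owned by IT operations, is silent. In practice the lease file would be replaced by whatever source of truth you have for what is talking on the network (DHCP, ARP tables, switch MAC tables, NAC logs), and the inventory by your CMDB, but the reconciliation logic is the same.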

This isn’t an easy task for organisations, especially considering how fragmented the security industry has made itself.

Which is why, as an industry, we need a customer-first approach. Businesses should be able to implement security solutions that will work best for them, and make the most of their existing investments.

Solutions that can communicate with each other, and work together to protect users and businesses, are the only way in which we can meet the challenge of cyber criminals who are determined to interfere with an IoT world.

As one of our threat intelligence experts, Martin Lee, has observed, we have a small window of opportunity to do something about this:

“As the world builds the infrastructure and deploys the devices that comprise the IoT, we as a society have the opportunity to apply the decades of good practices learned as part of the development of the Internet—including painful lessons about the importance of security.”

In addition to the IoT challenges, here are the top learnings from Cisco’s 2017 Midyear Cybersecurity Report:

Business email compromise may be an even bigger threat than ransomware, because it has become a highly lucrative threat vector for attackers. According to the Internet Crime Complaint Center (IC3), $5.3 billion was stolen due to BEC fraud between October 2013 and December 2016. In comparison, ransomware exploits took in $1 billion in 2016. It’s a low-cost, high-return approach for criminals, which means it will likely grow as a threat vector.

Spyware is malware and is being underestimated. Spyware can steal user and company information, weaken the security posture of devices, and increase malware infections. Cisco studied three spyware families and found them present in 20 percent of the 300 companies in the sample.

Lack of visibility into dynamic IT environments, the risks presented by “shadow IT,” the constant barrage of security alerts, and the complexity of the IT security environment are just some reasons resource-strapped security teams struggle to stay on top of today’s evasive and increasingly potent cyber threats.

More and more cyber criminals are realising that they can infiltrate connected systems faster by breaching cloud systems. Some of the biggest breaches to date have started with the compromise and misuse of a single privileged user account in a cloud application.
